#!/bin/bash
# Global configuration file for the strongSwan cert-enroll script
#
# This default configuration file should not be edited as the changes
# might get overwritten by software updates. If you just want to adapt
# a few parameters, do this in a 'cert-enroll.conf.local' file which
# will overload the corresponding default values.

# Minimum number of days when a new certificate will be requested
: ${MIN_DAYS=42}

# Interval in days for checking CA certificate changes
: ${CA_CHECK_INTERVAL=7}

# Directory where the certificates and keys will be stored
: ${CERTDIR=/root/certificates}

# Key and certificate names
: ${HOSTKEY=key.pem}
: ${HOSTCERT=cert.pem}
: ${CERTREQ=req.pem}
: ${CAOUT=cacert}
: ${ROOTCA=$CAOUT.pem}
: ${OLDROOTCA=$CAOUT-old.pem}
: ${SUBCA=$CAOUT-1.pem}
: ${OLDSUBCA=$CAOUT-1-old.pem}
: ${RAOUT=racert}
: ${RACERT=$RAOUT.pem}

# TLS root CA certificate required by EST
# (might also be a Let's Encrypt or other third party root CA certificate)
: ${TLSROOTCA=$CERTDIR/$ROOTCA}

# Private key type (either "ECDSA", "RSA", "ED25519" or "ED448")
: ${KEYTYPE=ECDSA}

# RSA private key size in bits
: ${RSA_SIZE=3072}

# ECDSA private key size in bits
: ${ECDSA_SIZE=256}

# User group to be assigned to the private key (used by cert-install-ssl)
: ${USER_GROUP=systemd-journal-upload}

# Systemd service using the private key (used by cert-install-ssl)
: ${SERVICE=systemd-journal-upload}

# Fully Qualified Domain Name and Distinguished Name
: ${FQDN=`hostname`}
: ${DN="C=CH, O=Example Company, CN=$FQDN"}

# Subject Alternative Name (SAN)
: ${SAN=--san $FQDN}

# Optional additional Subject Alternative Names (fill in and uncomment)
: ${ADD_SANS=()}
# ADD_SANS+=(--san )

# Certificate profile (one of "client", "server", "dual" or "ocsp")
: ${PROFILE=dual}

# Enrollment protocol (either "EST" or "SCEP")
: ${PROTOCOL=EST}

# Protocol for fetching CA certificates (either "EST" or "SCEP")
: ${CA_PROTOCOL=$PROTOCOL}

# URL of the EST enrollment server
: ${EST_URL=https://pki.example.com}

# URL of the SCEP enrollment server
: ${SCEP_URL=http://pki.example.com/scep}

# Maximum poll time in seconds for EST enrollment process
: ${EST_MAX_POLL_TIME=28800}

# Maximum poll time in seconds for SCEP enrollment process
: ${SCEP_MAX_POLL_TIME=28800}
